Hackers broke into Caesars Entertainment last week, the company said in a Securities and Exchange Commission filing Thursday, making it the second major Las Vegas hotel and casino operator to disclose it had been hacked in recent days.
In its filing, Caesars said that the hackers had gained access to some customer information, such as driver’s license information and Social Security numbers of people signed up with the Caesars loyalty program.
Notably, unlike MGM, Caesars has not experienced public service outages from being hacked. Caesars said that it had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Caesars didn’t respond to an email requesting clarification on that language. But cybersecurity experts said they understood it to mean that Caesars had paid the hackers, which could explain why the company avoided MGM’s fate.
“Ransomware operators typically only delete data if the ransom is paid,” said Brett Callow, an analyst at the ransomware remediation company Emsisoft. “Organizations that choose to pay are paying for a pinky promise from cybercriminals.”
Cybercriminals seeking an extortion payment often gain access to a victim’s computer networks, then either encrypt file systems by installing malicious software called ransomware, threatening to release sensitive information, or both. Such attacks present a difficult decision for victims: avoid paying and potentially deal with the fallout from disclosures or destructive cyberattacks, or give money to cybercriminals and trust them to retreat.
“That is an EXTREMELY artful way of saying, oh yea we paid even though we know ransomware groups are lying bastards who won’t actually delete the data,” Allan Liska, a ransomware expert at the cybersecurity company Recorded Future, tweeted of the Caesars filing.